
Data Processing Agreement

Last updated: April 30, 2026 | Version 1.4

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between the Customer ("Controller") and Cathedral s.r.l.s ("Processor"), together the "Parties".

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the Vora Platform.

1. Definitions

Terms not defined herein shall have the meanings given in the Agreement and the GDPR. In addition:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller under this DPA.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Subject Matter and Duration

2.1 Subject Matter

The Processor shall process Personal Data on behalf of the Controller to provide the Vora Platform services as described in the Agreement, including governance management, voting, loyalty programmes, and e-commerce integrations.

2.2 Duration

This DPA shall remain in effect for the duration of the Agreement. Processing shall cease upon termination of the Agreement, subject to the data deletion obligations set out in Section 10.

3. Nature and Purpose of Processing

The Processor processes Personal Data for the following purposes:

  • Providing and operating the Vora governance platform
  • Managing user accounts, organizations, and memberships
  • Processing votes and recording governance outcomes
  • Operating loyalty programmes (XP, badges) for e-commerce integrations
  • Generating claim links for e-commerce customers to create accounts
  • Sending service-related notifications
  • Providing analytics and reporting to the Controller
  • Ensuring platform security and fraud prevention

4. Types of Personal Data

The following categories of Personal Data may be processed:

Category         | Data Elements
-----------------|----------------------------------------------------------
Account data     | Email address, space name, password (hashed)
E-commerce data  | Shopify customer identifier, email address, order amounts
Governance data  | Votes, proposals, idea submissions, group memberships
Loyalty data     | XP balances, badge records, wallet addresses
Technical data   | IP addresses, user agents, access timestamps

5. Categories of Data Subjects

  • Organization administrators and authorized users
  • Members participating in governance activities
  • E-commerce customers of Shopify merchants using the Vora integration
  • Idea challenge participants

6. Obligations of the Processor

The Processor shall:

  • (a) Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law. The Agreement and this DPA constitute the Controller's complete instructions. Any additional instructions require written agreement.
  • (b) Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • (c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of data in transit (TLS) and at rest
    • Secure password hashing (bcrypt/Argon2)
    • Role-based access controls
    • Regular security assessments and audit logging
    • Data backup and disaster recovery procedures
  • (d) Comply with the conditions for engaging Sub-processors as set out in Section 7.
  • (e) Assist the Controller in responding to Data Subject requests to exercise their rights under Chapter III of the GDPR, taking into account the nature of the processing.
  • (f) Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and information available to the Processor.
  • (g) Delete or return all Personal Data upon termination as set out in Section 10.
  • (h) Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

7. Sub-processors

7.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, providing the Controller with an opportunity to object within thirty (30) days.

7.2 Current Sub-processors

Sub-processor               | Purpose                                                                                                        | Location
----------------------------|----------------------------------------------------------------------------------------------------------------|--------------
Amazon Web Services (AWS)   | Cloud hosting and infrastructure                                                                               | EU (Ireland)
Resend, Inc.                | Transactional email delivery (account verification, password reset, governance results, reward notifications)  | USA
Alchemy                     | Blockchain RPC provider                                                                                        | USA
Shopify Inc.                | E-commerce platform (data source for integrations)                                                             | Canada / USA

7.3 Sub-processor Obligations

The Processor shall impose the same data protection obligations as set out in this DPA on each Sub-processor by way of a contract. The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations.

8. International Transfers

Where Personal Data is transferred outside the European Economic Area, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Adequacy decisions by the European Commission
  • Other lawful transfer mechanisms

The Processor maintains Standard Contractual Clauses with all Sub-processors located outside the EEA.

9. Data Breach Notification

9.1 Notification

The Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.

9.2 Content of Notification

The notification shall include:

  • A description of the nature of the Data Breach, including categories and approximate number of Data Subjects and records affected
  • The name and contact details of the Processor's data protection contact
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach

9.3 Cooperation

The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

10. Data Deletion and Return

10.1 Upon Termination

Upon termination of the Agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data within ninety (90) days, and delete existing copies unless EU or Member State law requires storage.

10.2 E-Commerce Data (Shopify)

Upon uninstallation of the Shopify app by a merchant, the Processor shall delete all customer data associated with that merchant's store within forty-eight (48) hours, except where a customer has independently claimed a Vora account (in which case that account data is governed by the direct relationship between the customer and Cathedral).

10.3 Certification

The Processor shall certify deletion in writing upon the Controller's request.

11. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:

  • The Controller shall provide at least thirty (30) days' written notice of an audit
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
  • The Controller shall bear the costs of any audit
  • Audit results shall be treated as Confidential Information
  • The Processor may satisfy audit requests by providing relevant third-party certifications, audit reports, or compliance attestations

12. Joint Controllership for Voter-Identity Sharing (Art. 26 GDPR)

This Section 12 sets out the essence of the joint-controller arrangement entered into between Cathedral and the Customer (the Organization) pursuant to Article 26(1) GDPR for the specific processing activity described below. It is made available to data subjects in accordance with Article 26(2) GDPR through the Vora Privacy Policy (§6.3).

12.1 Scope of the Joint-Controller Arrangement

This Section 12 applies only to the processing of a Member's email address where the Member has expressly opted in, at the time of casting an individual vote on a proposal owned by the Customer, to share that data with the Customer. It does not apply to any other processing activity governed by this DPA, in respect of which Cathedral remains a Processor for the Customer.

12.2 Joint Controllers

  • Cathedral s.r.l.s (Vora) — joint controller responsible for collecting, recording, and proving the Member's consent (Art. 6(1)(a) and Art. 7 GDPR), transmitting the data to the Customer through the Vora platform interface, and maintaining a tamper-evident audit trail of every administrative access by the Customer (Art. 30 GDPR).
  • The Customer (Organization) — joint controller responsible for any subsequent use of the email address on its own systems, including (without limitation) follow-up communications, marketing where additional consent has been obtained, CRM ingestion, and exercise of data-subject rights against the Customer.

12.3 Allocation of Responsibilities

The table below allocates each obligation between Cathedral and the Customer:

  • Information to data subjects (Art. 13–14 GDPR) at the point of opt-in
    • Cathedral: Yes — wording shown in the vote modal and recorded in the Vora Privacy Policy
    • Customer: Yes — must keep its own privacy notice up to date for any post-transmission processing
  • Collection and proof of consent (Art. 7 GDPR)
    • Cathedral: Yes — recorded in a dedicated ConsentRecord entry per vote
    • Customer: No
  • Transmission of the data to the Customer
    • Cathedral: Yes — through the admin Voters endpoint and CSV export
    • Customer: No
  • Audit trail of administrative access (Art. 30 GDPR)
    • Cathedral: Yes — every list-view and CSV-export request is logged with controller identity, timestamp, and record count
    • Customer: Yes — for any subsequent processing on its own systems
  • Lawful basis for post-transmission processing (e.g. follow-up emails, marketing)
    • Cathedral: No
    • Customer: Yes — must determine and document its own legal basis under Art. 6 GDPR; opt-in to share with the Organization is not, by itself, a marketing consent
  • Response to data-subject requests (Art. 15–22 GDPR)
    • Cathedral: For data held by Cathedral (consent record, audit log, and the source vote)
    • Customer: For copies held by the Customer after transmission
  • Personal-data-breach notification (Art. 33–34 GDPR)
    • Cathedral: For breaches occurring on Vora infrastructure — within 72 hours of awareness
    • Customer: For breaches occurring on the Customer's infrastructure — within 72 hours of awareness; the Customer shall also notify Cathedral without undue delay

12.4 Single Point of Contact for Data Subjects

Notwithstanding the allocation above, and in accordance with Art. 26(3) GDPR, a Member may exercise their rights against either joint controller. Members are encouraged to contact the Customer directly for matters under the Customer's exclusive control and to contact privacy@cathedral.technology for matters under Cathedral's control or for assistance in routing the request. Cathedral will forward any request received in error to the Customer without undue delay.

12.5 Withdrawal of Consent

A Member may withdraw consent to the sharing at any time, with immediate effect, through the in-product self-serve withdrawal interface in their account profile (Privacy tab) or by writing to privacy@cathedral.technology. Cathedral shall (i) flag the corresponding ConsentRecord as withdrawn, (ii) cease further transmission of the Member's data to the Customer in respect of the relevant vote, and (iii) notify the Customer of the withdrawal without undue delay. The Customer shall, upon receipt of such notification, cease any further processing for the purposes that depended on that consent and erase the data unless it identifies and documents a different lawful basis under Art. 6 GDPR.

12.6 Liability between the Joint Controllers

Each joint controller shall be responsible to the data subject for the entire damage in accordance with Art. 82(4) GDPR. As between Cathedral and the Customer, each party shall bear the costs, fines, and damages attributable to its own breach of this Section 12 or of the GDPR. Where a fine or damages cannot be reasonably allocated to a single party, the parties shall share liability proportionally to their respective fault.

12.7 Effective Date and Acceptance

This Section 12 takes effect on the Effective Date of this DPA and applies automatically to any opt-in voter-identity sharing collected through the Vora platform thereafter. The Customer accepts this Section 12 by continuing to use the voter-identity-sharing feature after the Effective Date. The Customer may opt out of the feature at any time by disabling the per-vote consent prompt in its proposal configuration, in which case no Member email will be transmitted to the Customer through this mechanism.

13. General

13.1 Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. In the event of any conflict between Section 12 (Joint Controllership) and the remainder of this DPA, Section 12 shall prevail in respect of the processing activity within its scope.

13.2 Governing Law

This DPA shall be governed by the laws of the Italian Republic, in accordance with the governing law provisions of the Agreement.

13.3 Amendments

This DPA may be updated by the Processor to reflect changes in applicable data protection law. Material changes will be communicated to the Controller with at least thirty (30) days' notice.

Document Version: 1.4

Effective Date: April 30, 2026

Next Scheduled Review: April 30, 2027

Copyright © 2026 Vora s.r.l.s. All rights reserved.
